ILIAS  Release_5_0_x_branch Revision 61816
 All Data Structures Namespaces Files Functions Variables Groups Pages
class.ilSecuritySettings.php
Go to the documentation of this file.
1 <?php
2 /*
3  +-----------------------------------------------------------------------------+
4  | ILIAS open source |
5  +-----------------------------------------------------------------------------+
6  | Copyright (c) 1998-2006 ILIAS open source, University of Cologne |
7  | |
8  | This program is free software; you can redistribute it and/or |
9  | modify it under the terms of the GNU General Public License |
10  | as published by the Free Software Foundation; either version 2 |
11  | of the License, or (at your option) any later version. |
12  | |
13  | This program is distributed in the hope that it will be useful, |
14  | but WITHOUT ANY WARRANTY; without even the implied warranty of |
15  | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
16  | GNU General Public License for more details. |
17  | |
18  | You should have received a copy of the GNU General Public License |
19  | along with this program; if not, write to the Free Software |
20  | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
21  +-----------------------------------------------------------------------------+
22 */
23 
34 class ilSecuritySettings
35 {
36  public static $SECURITY_SETTINGS_ERR_CODE_AUTO_HTTPS = 1;
37  public static $SECURITY_SETTINGS_ERR_CODE_HTTP_NOT_AVAILABLE = 2;
38  public static $SECURITY_SETTINGS_ERR_CODE_HTTPS_NOT_AVAILABLE = 3;
39 
40  const SECURITY_SETTINGS_ERR_CODE_INVALID_PASSWORD_MIN_LENGTH = 4;
41  const SECURITY_SETTINGS_ERR_CODE_INVALID_PASSWORD_MAX_LENGTH = 5;
42  const SECURITY_SETTINGS_ERR_CODE_INVALID_PASSWORD_MAX_AGE = 6;
43  const SECURITY_SETTINGS_ERR_CODE_INVALID_LOGIN_MAX_ATTEMPTS = 7;
44  const SECURITY_SETTINGS_ERR_CODE_PASSWORD_MIN_LENGTH_MIN1 = 11;
45  const SECURITY_SETTINGS_ERR_CODE_PASSWORD_MIN_LENGTH_MIN2 = 8;
46  const SECURITY_SETTINGS_ERR_CODE_PASSWORD_MIN_LENGTH_MIN3 = 9;
47  const SECURITY_SETTINGS_ERR_CODE_PASSWORD_MAX_LENGTH_LESS_MIN_LENGTH = 10;
48 
49  private static $instance = null;
50  private $db;
51  private $settings;
52 
53  private $https_enable;
54 
55  const DEFAULT_PASSWORD_CHARS_AND_NUMBERS_ENABLED = true;
56  const DEFAULT_PASSWORD_SPECIAL_CHARS_ENABLED = false;
57  const DEFAULT_PASSWORD_MIN_LENGTH = 8;
58  const DEFAULT_PASSWORD_MAX_LENGTH = 0;
59  const DEFAULT_PASSWORD_MAX_AGE = 90;
60  const DEFAULT_LOGIN_MAX_ATTEMPTS = 5;
61 
62  const DEFAULT_PASSWORD_CHANGE_ON_FIRST_LOGIN_ENABLED = false;
63  const DEFAULT_PREVENT_SIMULTANEOUS_LOGINS = false;
64 
65  private $password_chars_and_numbers_enabled = self::DEFAULT_PASSWORD_CHARS_AND_NUMBERS_ENABLED;
66  private $password_special_chars_enabled = self::DEFAULT_PASSWORD_SPECIAL_CHARS_ENABLED;
67  private $password_min_length = self::DEFAULT_PASSWORD_MIN_LENGTH;
68  private $password_max_length = self::DEFAULT_PASSWORD_MAX_LENGTH;
69  private $password_max_age = self::DEFAULT_PASSWORD_MAX_AGE;
70  private $password_ucase_chars_num = 0;
71  private $password_lcase_chars_num = 0;
72  private $login_max_attempts = self::DEFAULT_LOGIN_MAX_ATTEMPTS;
73  private $password_must_not_contain_loginname = false;
74 
75  private $password_change_on_first_login_enabled = self::DEFAULT_PASSWORD_CHANGE_ON_FIRST_LOGIN_ENABLED;
76  private $prevent_simultaneous_logins = self::DEFAULT_PREVENT_SIMULTANEOUS_LOGINS;
77 
78  private $protect_admin_role = false;
79 
87  private function __construct()
88  {
89 
90  global $ilSetting,$ilDB;
91 
92  $this->db = $ilDB;
93  $this->settings = $ilSetting;
94 
95  $this->read();
96  }
97 
105  public static function _getInstance()
106  {
107  if(is_object(self::$instance))
108  {
109  return self::$instance;
110  }
111  return self::$instance = new ilSecuritySettings();
112  }
113 
114  public function getSecuritySettingsRefId()
115  {
116  return $this->ref_id;
117  }
118 
126  public function setPasswordCharsAndNumbersEnabled($a_chars_and_numbers_enabled)
127  {
128  $this->password_chars_and_numbers_enabled = $a_chars_and_numbers_enabled;
129  }
130 
138  public function isPasswordCharsAndNumbersEnabled()
139  {
140  return $this->password_chars_and_numbers_enabled;
141  }
142 
150  public function setPasswordSpecialCharsEnabled($a_password_special_chars_enabled)
151  {
152  $this->password_special_chars_enabled = $a_password_special_chars_enabled;
153  }
154 
162  public function isPasswordSpecialCharsEnabled()
163  {
164  return $this->password_special_chars_enabled;
165  }
166 
172  public function setPasswordMinLength($a_password_min_length)
173  {
174  $this->password_min_length = $a_password_min_length;
175  }
176 
182  public function getPasswordMinLength()
183  {
184  return $this->password_min_length;
185  }
186 
192  public function setPasswordMaxLength($a_password_max_length)
193  {
194  $this->password_max_length = $a_password_max_length;
195  }
196 
202  public function getPasswordMaxLength()
203  {
204  return $this->password_max_length;
205  }
206 
212  public function setPasswordMaxAge($a_password_max_age)
213  {
214  $this->password_max_age = $a_password_max_age;
215  }
216 
222  public function getPasswordMaxAge()
223  {
224  return $this->password_max_age;
225  }
226 
232  public function setLoginMaxAttempts($a_login_max_attempts)
233  {
234  $this->login_max_attempts = $a_login_max_attempts;
235  }
236 
242  public function getLoginMaxAttempts()
243  {
244  return $this->login_max_attempts;
245  }
246 
252  public function setHTTPSEnabled ($value)
253  {
254  $this->https_enable = $value;
255  }
256 
262  public function isHTTPSEnabled ()
263  {
264  return $this->https_enable;
265  }
266 
274  public function setPasswordChangeOnFirstLoginEnabled($a_password_change_on_first_login_enabled)
275  {
276  $this->password_change_on_first_login_enabled = $a_password_change_on_first_login_enabled;
277  }
278 
286  public function isPasswordChangeOnFirstLoginEnabled()
287  {
288  return $this->password_change_on_first_login_enabled;
289  }
290 
295  public function isAdminRoleProtected()
296  {
297  return (bool) $this->protect_admin_role;
298  }
299 
304  public function protectedAdminRole($a_stat)
305  {
306  $this->protect_admin_role = $a_stat;
307  }
308 
313  public function checkAdminRoleAccessible($a_usr_id)
314  {
315  global $rbacreview;
316 
317  if(!$this->isAdminRoleProtected())
318  {
319  return true;
320  }
321  if($rbacreview->isAssigned($a_usr_id,SYSTEM_ROLE_ID))
322  {
323  return true;
324  }
325  return false;
326  }
327 
333  public function save()
334  {
335  $this->settings->set('https',(int) $this->isHTTPSEnabled());
336 
337  $this->settings->set('ps_password_chars_and_numbers_enabled',(bool) $this->isPasswordCharsAndNumbersEnabled());
338  $this->settings->set('ps_password_special_chars_enabled',(bool) $this->isPasswordSpecialCharsEnabled());
339  $this->settings->set('ps_password_min_length',(int) $this->getPasswordMinLength());
340  $this->settings->set('ps_password_max_length',(int) $this->getPasswordMaxLength());
341  $this->settings->set('ps_password_max_age',(int) $this->getPasswordMaxAge());
342  $this->settings->set('ps_login_max_attempts',(int) $this->getLoginMaxAttempts());
343  $this->settings->set('ps_password_uppercase_chars_num', (int) $this->getPasswordNumberOfUppercaseChars());
344  $this->settings->set('ps_password_lowercase_chars_num', (int) $this->getPasswordNumberOfLowercaseChars());
345  $this->settings->set('ps_password_must_not_contain_loginame', (int) $this->getPasswordMustNotContainLoginnameStatus());
346 
347  $this->settings->set('ps_password_change_on_first_login_enabled',(bool) $this->isPasswordChangeOnFirstLoginEnabled());
348  $this->settings->set('ps_prevent_simultaneous_logins', (int)$this->isPreventionOfSimultaneousLoginsEnabled());
349  $this->settings->set('ps_protect_admin', (int) $this->isAdminRoleProtected());
350  }
358  private function read()
359  {
360  global $ilDB;
361 
362  $query = "SELECT object_reference.ref_id FROM object_reference,tree,object_data ".
363  "WHERE tree.parent = ".$ilDB->quote(SYSTEM_FOLDER_ID,'integer')." ".
364  "AND object_data.type = 'ps' ".
365  "AND object_reference.ref_id = tree.child ".
366  "AND object_reference.obj_id = object_data.obj_id";
367  $res = $this->db->query($query);
368  $row = $res->fetchRow(DB_FETCHMODE_ASSOC);
369  $this->ref_id = $row["ref_id"];
370 
371  $this->https_enable = (boolean) $this->settings->get('https', false);
372 
373  $this->password_chars_and_numbers_enabled = (bool) $this->settings->get('ps_password_chars_and_numbers_enabled', self::DEFAULT_PASSWORD_CHARS_AND_NUMBERS_ENABLED);
374  $this->password_special_chars_enabled = (bool) $this->settings->get('ps_password_special_chars_enabled', self::DEFAULT_PASSWORD_SPECIAL_CHARS_ENABLED);
375  $this->password_min_length = (int) $this->settings->get('ps_password_min_length', self::DEFAULT_PASSWORD_MIN_LENGTH);
376  $this->password_max_length = (int) $this->settings->get('ps_password_max_length', self::DEFAULT_PASSWORD_MAX_LENGTH);
377  $this->password_max_age = (int) $this->settings->get('ps_password_max_age', self::DEFAULT_PASSWORD_MAX_AGE);
378  $this->login_max_attempts = (int) $this->settings->get('ps_login_max_attempts', self::DEFAULT_LOGIN_MAX_ATTEMPTS);
379  $this->password_ucase_chars_num = (int) $this->settings->get('ps_password_uppercase_chars_num', 0);
380  $this->password_lcase_chars_num = (int) $this->settings->get('ps_password_lowercase_chars_num', 0);
381  $this->password_must_not_contain_loginname = $this->settings->get('ps_password_must_not_contain_loginame', 0) == '1' ? true : false;
382 
383  $this->password_change_on_first_login_enabled = (bool) $this->settings->get('ps_password_change_on_first_login_enabled', self::DEFAULT_PASSWORD_CHANGE_ON_FIRST_LOGIN_ENABLED);
384  $this->prevent_simultaneous_logins = (bool) $this->settings->get('ps_prevent_simultaneous_logins', self::DEFAULT_PREVENT_SIMULTANEOUS_LOGINS);
385 
386  $this->protect_admin_role = (bool) $this->settings->get('ps_protect_admin',$this->protect_admin_role);
387  }
388 
394  public function validate(ilPropertyFormGUI $a_form = null)
395  {
396  $code = null;
397 
398  if ($a_form)
399  {
400  include_once "Services/PrivacySecurity/classes/class.ilObjPrivacySecurityGUI.php";
401  }
402 
403  include_once './Services/Http/classes/class.ilHTTPS.php';
404 
405  if ($this->isHTTPSEnabled())
406  {
407  if(!ilHTTPS::_checkHTTPS())
408  {
409  $code = ilSecuritySettings::$SECURITY_SETTINGS_ERR_CODE_HTTPS_NOT_AVAILABLE;
410  if(!$a_form)
411  {
412  return $code;
413  }
414  else
415  {
416  $a_form->getItemByPostVar('https_enabled')
417  ->setAlert(ilObjPrivacySecurityGUI::getErrorMessage($code));
418  }
419  }
420  }
421 
422  if( $this->getPasswordMinLength() < 0 )
423  {
424  $code = self::SECURITY_SETTINGS_ERR_CODE_INVALID_PASSWORD_MIN_LENGTH;
425  if(!$a_form)
426  {
427  return $code;
428  }
429  else
430  {
431  $a_form->getItemByPostVar('password_min_length')
432  ->setAlert(ilObjPrivacySecurityGUI::getErrorMessage($code));
433  }
434  }
435 
436  if( $this->getPasswordMaxLength() < 0 )
437  {
438  $code = self::SECURITY_SETTINGS_ERR_CODE_INVALID_PASSWORD_MAX_LENGTH;
439  if(!$a_form)
440  {
441  return $code;
442  }
443  else
444  {
445  $a_form->getItemByPostVar('password_max_length')
446  ->setAlert(ilObjPrivacySecurityGUI::getErrorMessage($code));
447  }
448  }
449 
450  $password_min_length = 1;
451 
452  if($this->getPasswordNumberOfUppercaseChars() > 0 || $this->getPasswordNumberOfLowercaseChars() > 0)
453  {
454  $password_min_length = 0;
455  if($this->getPasswordNumberOfUppercaseChars() > 0)
456  {
457  $password_min_length += $this->getPasswordNumberOfUppercaseChars();
458  }
459  if($this->getPasswordNumberOfLowercaseChars() > 0)
460  {
461  $password_min_length += $this->getPasswordNumberOfLowercaseChars();
462  }
463  $password_min_length_error_code = self::SECURITY_SETTINGS_ERR_CODE_PASSWORD_MIN_LENGTH_MIN1;
464  }
465 
466  if( $this->isPasswordCharsAndNumbersEnabled() )
467  {
468  $password_min_length++;
469  $password_min_length_error_code = self::SECURITY_SETTINGS_ERR_CODE_PASSWORD_MIN_LENGTH_MIN2;
470 
471  if( $this->isPasswordSpecialCharsEnabled() )
472  {
473  $password_min_length++;
474  $password_min_length_error_code = self::SECURITY_SETTINGS_ERR_CODE_PASSWORD_MIN_LENGTH_MIN3;
475  }
476  }
477  else if($password_min_length > 1 && $this->isPasswordSpecialCharsEnabled())
478  {
479  $password_min_length++;
480  $password_min_length_error_code = self::SECURITY_SETTINGS_ERR_CODE_PASSWORD_MIN_LENGTH_MIN3;
481  }
482 
483  if( $this->getPasswordMinLength() > 0 && $this->getPasswordMinLength() < $password_min_length )
484  {
485  $code = $password_min_length_error_code;
486  if(!$a_form)
487  {
488  return $code;
489  }
490  else
491  {
492  $a_form->getItemByPostVar('password_min_length')
493  ->setAlert(sprintf(ilObjPrivacySecurityGUI::getErrorMessage($code), $password_min_length));
494  }
495  }
496  if( $this->getPasswordMaxLength() > 0 && $this->getPasswordMaxLength() < $this->getPasswordMinLength() )
497  {
498  $code = self::SECURITY_SETTINGS_ERR_CODE_PASSWORD_MAX_LENGTH_LESS_MIN_LENGTH;
499  if(!$a_form)
500  {
501  return $code;
502  }
503  else
504  {
505  $a_form->getItemByPostVar('password_max_length')
506  ->setAlert(ilObjPrivacySecurityGUI::getErrorMessage($code));
507  }
508  }
509 
510  if( $this->getPasswordMaxAge() < 0 )
511  {
512  $code = self::SECURITY_SETTINGS_ERR_CODE_INVALID_PASSWORD_MAX_AGE;
513  if(!$a_form)
514  {
515  return $code;
516  }
517  else
518  {
519  $a_form->getItemByPostVar('password_max_age')
520  ->setAlert(ilObjPrivacySecurityGUI::getErrorMessage($code));
521  }
522  }
523 
524  if( $this->getLoginMaxAttempts() < 0 )
525  {
526  $code = self::SECURITY_SETTINGS_ERR_CODE_INVALID_LOGIN_MAX_ATTEMPTS;
527  if(!$a_form)
528  {
529  return $code;
530  }
531  else
532  {
533  $a_form->getItemByPostVar('login_max_attempts')
534  ->setAlert(ilObjPrivacySecurityGUI::getErrorMessage($code));
535  }
536  }
537 
538  /*
539  * todo: have to check for local auth if first login password change is enabled??
540  * than: add errorcode
541  */
542 
543  if(!$a_form)
544  {
545  return 0;
546  }
547  else
548  {
549  return !(bool)$code;
550  }
551  }
552 
558  public function isPreventionOfSimultaneousLoginsEnabled()
559  {
560  return (bool)$this->prevent_simultaneous_logins;
561  }
562 
568  public function setPreventionOfSimultaneousLogins($value)
569  {
570  $this->prevent_simultaneous_logins = (bool)$value;
571  }
572 
577  public function setPasswordNumberOfUppercaseChars($password_ucase_chars_num)
578  {
579  $this->password_ucase_chars_num = $password_ucase_chars_num;
580  }
581 
586  public function getPasswordNumberOfUppercaseChars()
587  {
588  return $this->password_ucase_chars_num;
589  }
590 
595  public function setPasswordNumberOfLowercaseChars($password_lcase_chars_num)
596  {
597  $this->password_lcase_chars_num = $password_lcase_chars_num;
598  }
599 
604  public function getPasswordNumberOfLowercaseChars()
605  {
606  return $this->password_lcase_chars_num;
607  }
608 
613  public function setPasswordMustNotContainLoginnameStatus($status)
614  {
615  $this->password_must_not_contain_loginname = $status;
616  }
617 
622  public function getPasswordMustNotContainLoginnameStatus()
623  {
624  return $this->password_must_not_contain_loginname;
625  }
626 }
627 ?>